
I had installed the BIND service on my CentOS 8 server with the `recursion yes;` configuration. I noticed very large traffic (~8 GB) being sent from my server every hour and I could not detect the source of this traffic. Then I changed the named configuration and disabled recursion: `recursion no;`

After disabling recursion and measuring traffic, I can see the sent traffic has dropped dramatically to below 200 MB. Now my question is: how can this recursion cause such large send traffic?!

SAndroid
  • Where are you measuring this traffic? What role does the apache2 server play in this setup, since you added "apache2" as a keyword to your question? – Lorem ipsum Aug 27 '20 at 09:16
  • I'm using vnStat to measure traffic, and I'm measuring on my network interface eth0. I just wanted to make it clear that I'm using the Apache HTTP server. – SAndroid Aug 27 '20 at 09:20
  • OK, you are talking about the network interface eth0 on your Apache server? Is this scenario placed on a public network? Because if so, you may have got an attack (link): https://us-cert.cisa.gov/ncas/alerts/TA13-088A . – Lorem ipsum Aug 27 '20 at 09:23
  • Yes, my server is connected to the internet (not a private network). Based on the link you sent, this attack can cause large response traffic (`...overwhelm a victim system with DNS response traffic`), but I was experiencing large send traffic. – SAndroid Aug 27 '20 at 09:29

1 Answer

Recursion means that the nameserver answers every query to the best of its ability, even for zones it is not responsible for.

It's a bad idea to enable recursion and let it answer any query for every client without any restriction, because there are a lot of idiots out there who either like to use other people's open nameservers or even try to flood third parties with the answers.

Recursion should only be enabled for the clients for which this nameserver has to act as a resolver. So, if you have

recursion yes;

you should also have a restriction like:

allow-recursion { 127.0.0.1; x.x.x.x; };

and list all valid client IPs.

If this nameserver is not a primary NS for any domain names, you could also open it to answer queries for allowed clients only with

allow-query { 127.0.0.1; x.x.x.x; };
allow-query-cache { 127.0.0.1; x.x.x.x; };

Furthermore, if this nameserver is only responsible for a few clients, you should consider closing UDP 53 and TCP 53 for every other IP using a firewall.

phade
  • Many thanks for your nice explanation. My server is used for only one domain (there are not many hosts on it) and the defined DNS zones are only for this domain as well. In this case, can I safely disable recursion? – SAndroid Aug 27 '20 at 10:44
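As an added example (not code from the question or the answer above), a small Python audit of the settings the answer lists: it reads a named.conf options block, applies BIND 9's fallback from allow-recursion to allow-query-cache to allow-query, and reports whether the server would recurse for arbitrary internet clients. Both configuration samples are constructed; the acl name "trusted" and the address 192.0.2.10 are placeholders.

```python
import re

# Constructed sample: recursion left on and queries opened to the world.
OPEN_CONFIG = """
options {
    recursion yes;
    allow-query { any; };
};
"""

# Constructed sample: the answer's fix, client list kept in an acl
# (192.0.2.10 is a placeholder client address).
RESTRICTED_CONFIG = """
acl "trusted" { 127.0.0.1; 192.0.2.10; };
options {
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
};
"""

UNRESTRICTED = {"any", "0.0.0.0/0", "::/0"}  # entries that restrict nothing

def parse_option(conf, name):
    """Value of a top-level option, or None if absent; address lists
    come back as a list of entries ("any", "trusted", ...)."""
    pattern = r"(?<![\w-])%s\s+(\{[^}]*\}|[^;{]+);" % re.escape(name)
    m = re.search(pattern, conf)
    if not m:
        return None
    raw = m.group(1).strip()
    if raw.startswith("{"):
        return [e.strip() for e in raw.strip("{}").split(";") if e.strip()]
    return raw

def effective_allow_recursion(conf):
    """When allow-recursion is absent, BIND 9 falls back to allow-query-cache,
    then allow-query, then {localnets; localhost;}. That chain is why
    allow-query { any; } on its own opens recursion to everyone."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        acl = parse_option(conf, name)
        if acl is not None:
            return acl
    return ["localnets", "localhost"]

def open_resolver_risk(conf):
    """True when any internet client can make this server recurse (recursion
    absent means BIND's default of yes). Named acls are not expanded."""
    if parse_option(conf, "recursion") == "no":
        return False
    return any(e in UNRESTRICTED for e in effective_allow_recursion(conf))
```

Run it against your own named.conf options block before and after the change; a server that serves only its own zone can also simply set `recursion no;`, which the check reports as no risk regardless of the address lists.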